From ciac@tholia.llnl.gov Fri Feb 6 00:26:48 1998
From: CIAC Mail User
To: ciac-bulletin@tholia.llnl.gov
Date: Wed, 4 Feb 1998 11:04:01 -0800 (PST)
Subject: CIAC Bulletin I-028: Vulnerabilities in CDE
[ For Public Release ]
-----BEGIN PGP SIGNED MESSAGE-----
__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | /_\ /
\___ __|__ / \ \___
__________________________________________________________
INFORMATION BULLETIN
Vulnerabilities in CDE
January 30, 1998 23:00 GMT Number I-028
______________________________________________________________________________
PROBLEM: Several vulnerabilities have been found in some implemetations
of the Common Desktop Environment (CDE).
PLATFORM: Digital Equipment Corporation
Hewlett-Packard Company
HP9000 Series 700/800s running CDE on:
HP-UX 10.10, HP-UX 10.20,
HP-UX 10.24 (VVOS),
HP-UX 11.00
IBM Corporation
AIX 3.2: not vulnerable; CDE not shipped in 3.2
AIX 4.1, 4.2, 4.3
The Open Group (currently investigating)
SGI, refer to Triteal Corporation
Sun Microsystems
CDE versions 1.2, 1.2_x86, 1.02, 1.02_x86, 1.01, 1.01_x86
DAMAGE: Local users may be able to gain write access to arbitrary
files, which could lead to gaining privileged access. Local
users may possibly remove files from the arbitrary directories
causing a denial of service.
SOLUTION: Apply vendor patches or disable dtappgather.
______________________________________________________________________________
VULNERABILITY It is recommended that the vendor patches be installed as soon
ASSESSMENT: as possible.
______________________________________________________________________________
[ Start CERT Advisory ]
=============================================================================
CERT* Advisory CA-98.02
Original issue date: Jan. 21, 1998
Last revised: --
Topic: Vulnerabilities in CDE
- ------------------------------------------------------------------------------
The CERT Coordination Center has received reports of several vulnerabilities
in some implementations of the Common Desktop Environment (CDE). The root
cause of these vulnerabilities is that the dtappgather program does not
adequately check all information passed to it by users. As a result, it is
possible for a local user to gain unauthorized privileged access or cause a
denial of service on the system.
We recommend installing a vendor patch as soon as possible. Until you can do
so, we encourage you to disable vulnerable copies of the program. Section
III.A. of this advisory contains information on checking for potentially
vulnerable copies and disabling them. Section III.B and the appendix contain
vendor information.
We will update this advisory as we receive additional information. Please
check our advisory files regularly for updates that relate to your site.
- ------------------------------------------------------------------------------
I. Description
There are several vulnerabilities in some implementations of the Common
Desktop Environment (CDE). The root cause of these vulnerabilities is
that the setuid root program "dtappgather" does not adequately check all
information passed to it by users. By exploiting these vulnerabilities,
an attacker can gain either unauthorized privileged access or cause a
denial of service on the system.
II. Impact
Local users are able to gain write access to arbitrary files. This can be
leveraged to gain privileged access.
Local users may also be able to remove files from arbitrary directories,
thus causing a denial of service.
III. Solution
We recommend installing a vendor patch as soon as possible and disabling
the vulnerable program until you can do so. Instructions for determining
whether you have a potentially vulnerable version of this program are
given in Section A. Vendor patches are discussed in Section B.
A. How to check for and disable potentially vulnerable versions of
dtappgather
To find potentially vulnerable versions of dtappgather and to
disable those programs, use the following find(1) command or a
variant. Consult your local system documentation to determine how
to tailor the find(1) program on your system.
You will need to run the find(1) command on each system you
maintain because the command examines files on local disks only.
Substitute the names of your local file systems for
FILE_SYSTEM_NAMES in the example. Example local file system names
are /, /usr, and /var. You should do this as root.
Note that this is one long command, though we have separated
it onto three lines using backslashes.
find FILE_SYSTEM_NAMES -xdev -type f -user root \
-name 'dtappgather' -perm -04000 -exec ls -l '{}' \; \
-ok chmod u-s '{}' \;
This command will find all files on a system that
- are only in the file systems you name (FILE_SYSTEM_NAMES -xdev)
- are regular files (-type f)
- are owned by root (-user root)
- have the name "dtappgather" (-name 'dtappgather')
- are setuid (-perm -04000)
Once found, those files will
- have their names and details printed (-exec ls -l '{}')
- no longer be setuid root, but only if you type `y' in
response to the prompt (-ok chmod u-s '{}' \;)
Until you are able to install the appropriate patch, we recommend
that you remove the setuid bit from the dtappgather program. Note
that doing this will affect the functionality of the dtappgather
program for some users. For example, newly created users that have
not logged into the CDE desktop may not have any icons in the
Application Manager window; existing users may not notice any
change in functionality.
B. Obtain and install a patch for this problem.
If your vendor has a patch for this problem, we encourage you to
apply the patch as soon as possible.
Appendix A contains a list of vendors who have provided information
about this problem. We will update the appendix as we receive more
information. If you do not see your vendor's name, the CERT/CC did
not hear from that vendor. Please contact your vendor directly.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Appendix A - Vendor Information
Below is a list of the vendors who have provided information for this
advisory. We will update this appendix as we receive additional information.
If you do not see your vendor's name, the CERT/CC did not hear from that
vendor. Please contact the vendor directly.
Digital Equipment Corporation
- -------------------------------
At the time of writing this document, patches(binary kits) are in
progress. Distribution of the fix for this problem is expected to begin
soon. Digital will provide notice of the completion/availability of the
patches through AES services (DIA, DSNlink FLASH) and be available from
your normal Digital Support channel.
Hewlett-Packard Company
- ------------------------
This problem is addressed HP Security Bulletin 075. This bulletin can be
found at one of these URLs:
http://us-support.external.hp.com
(for US, Canada, Asia-Pacific, & Latin-America)
http://europe-support.external.hp.com
(for Europe)
Security Bulletin 075: Security Vulnerability in CDE on HP-UX
PLATFORM: HP9000 Series 700/800s running CDE on:
HP-UX 10.10, HP-UX 10.20,
HP-UX 10.24 (VVOS),
HP-UX 11.00
SOLUTION: Apply one of:
PHSS_13723 HP-UX 10.10
PHSS_13724 HP-UX 10.20
PHSS_13725 HP-UX 10.30
PHSS_13772 HP-UX 10.24
PHSS_13406 HP-UX 11.00
IBM Corporation
- ----------------
The version of dtappgather shipped with AIX is vulnerable. The
following fixes are in progress:
AIX 3.2: not vulnerable; CDE not shipped in 3.2
AIX 4.1: IX73436
AIX 4.2: IX73437
AIX 4.3: IX73438
To Order
--------
APARs may be ordered using Electronic Fix Distribution (via FixDist)
or from the IBM Support Center. For more information on FixDist,
reference URL:
http://service.software.ibm.com/aixsupport/
or send e-mail to aixserv@austin.ibm.com with a subject of "FixDist".
IBM and AIX are registered trademarks of International Business Machines
Corporation.
The Open Group
- ---------------
The Open Group is investigating this vulnerability, and if reproduced
will develop a solution and provide a patch for its CDE licensees.
Silicon Graphics, Inc.
- -----------------------
Silicon Graphics provides only the third party TriTeal CDE product.
Triteal Corporation provides all support on the SGI offered CDE product.
Customers requiring support on the SGI CDE product should contact TriTeal
Corporation at 1-800-874-8325, or email support@triteal.com.
For other Silicon Graphics related security information, please see the
SGI Security Headquarters website located at:
http://www.sgi.com/Support/security/security.html
Sun Microsystems, Inc.
- -----------------------
105837-01 1.2
105837-01 1.2_x86
104498-02 1.02
104500-02 1.02_x86
104497-02 1.01
104499-02 1.01_x86
- ------------------------------------------------------------------------------
If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident Response
and Security Teams (see http://www.first.org/team-info/).
[ End CERT Advisory ]
______________________________________________________________________________
CIAC wishes to acknowledge the contributions of CERT for the information
contained in this bulletin.
______________________________________________________________________________
CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 510-422-8193
FAX: +1 510-423-8002
STU-III: +1 510-423-2604
E-mail: ciac@llnl.gov
For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), call the CIAC voice number 510-422-8193 and leave a message,
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
duty person, and the secondary PIN number, 8550074 is for the CIAC
Project Leader.
Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
World Wide Web: http://www.ciac.org/
(or http://ciac.llnl.gov -- they're the same machine)
Anonymous FTP: ftp.ciac.org
(or ciac.llnl.gov -- they're the same machine)
Modem access: +1 (510) 423-4753 (28.8K baud)
+1 (510) 423-3331 (28.8K baud)
CIAC has several self-subscribing mailing lists for electronic
publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
information and Bulletins, important computer security information;
2. SPI-ANNOUNCE for official news about Security Profile Inspector
(SPI) software updates, new features, distribution and
availability;
3. SPI-NOTES, for discussion of problems and solutions regarding the
use of SPI products.
Our mailing lists are managed by a public domain software package
called Majordomo, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
ciac-bulletin, spi-announce OR spi-notes for list-name:
E-mail to ciac-listproc@llnl.gov or majordomo@tholia.llnl.gov:
subscribe list-name
e.g., subscribe ciac-bulletin
You will receive an acknowledgment email immediately with a confirmation
that you will need to mail back to the addresses above, as per the
instructions in the email. This is a partial protection to make sure
you are really the one who asked to be signed up for the list in question.
If you include the word 'help' in the body of an email to the above address,
it will also send back an information file on how to subscribe/unsubscribe,
get past issues of CIAC bulletins via email, etc.
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
I-018: FTP Bounce Vulnerability
I-019: Tools Generating IP Denial-of-Service Attacks
I-020: Cisco 7xx password buffer overflow - DOS
I-021: "smurf" IP Denial-of-Service Attacks
I-022: IBM AIX "routed" daemon Vulnerability
I-023: Macro Virus Update
I-024: CGI Security Hole in EWS1.1 Vulnerability
I-025: Windows NT based Web Servers File Access Vulnerability
I-026: Vulnerability in ssh-agent
I-027: HP-UX Vulnerabilities (CUE, CDE, land)
-----BEGIN PGP SIGNATURE-----
Version: 4.0 Business Edition
iQCVAwUBNNem5LnzJzdsy3QZAQESMAQA0C76umRjVssPwvhfPAVQtQh1u0JuIS+T
oz5gJs3aW/+QLR/9DOruRMgBD+m5iGhs1hiq41YuShe9EyorfEc8gT5ekaj1w/rS
XLfUWeiy+PRevUh3juqP+o84GkD8x6ZY2cKHnQp4t8Iw4+v6mfP8tlxE87agHokG
/rzztonKawg=
=lvAO
-----END PGP SIGNATURE-----